ISF Says Prepare Now for Security Threats Coming in 2016

The Information Security Forum (ISF), a research organization serving 300-plus member companies, circling the globe and hitting every key vertical market, has released its latest Threat Horizon report. The report highlights 10 key threats ISF anticipates members will face in 2016 while also offering a rundown of the key security challenges this year. ISF Global Vice President Steve Durbin calls the report "one of the most exciting" the ISF has ever produced. While many people view the era it predicts as "sort of apocalyptic," Durbin told eWEEK, "I don't see it that way. The basic norms have altered, but that makes for a very dynamic environment. We're really seeing a difference between the new [chief information security officers] and the old-school ones, who would love to be left on their own to control the firewall." In a world in which a popular online take-out menu can offer hackers a backdoor into a heavily guarded business, enterprises need to make sure their smallest partners aren't also their biggest threats. "There's a role for organizations like the ISF to put some of these guidelines out there, in conjunction with government agencies, and offer smaller businesses free information," said Durbin.


by Michelle Maisto

The Threat Horizon, 2014-2016

Over the next two years, the ISF expects businesses to move from a time of growing cyber criminality (2014) to crime as a service (CaaS) upgrading to version 2.0 (2015) and eventually encryption measures failing (2016). While in 2015 a challenge will be many CEOs still "not getting it," by 2016 they will have figured it out, and chief information security officers (CISOs) had better have the skills and tools to deliver, the study said.

Nation-State Backed Espionage Goes Mainstream

If before government espionage activities were behind the scenes, by 2016 they'll be out in the open and the result will be an "even more unruly cyberspace trading environment." The ISF advises building relationships within and across industry sectors. "The government was never really in our corner anyway," Durbin said. "For me, real trust is about how you build trust with the partners you build business with."

A Balkanized Internet Complicates Business

"Nation-states will take a local approach to Internet governance, attempting to draw geopolitical borders on the Internet," the ISF said in the report. Prepare now by creating partnerships for information sharing and engaging in "multi-stakeholder governance processes to share intelligence."

Unintended Consequences of State Intervention

Even organizations not implicated in wrongdoing will suffer collateral damage as authorities "police 'their corner of the Internet,'" according to the report. Durbin said the ISF recently changed its nondisclosure agreements for U.S. members, to take into account that they may have to disclose information to the government, if required. "It's about organizations understanding what governments are able to ask for and being open about that with partners. In the past, we didn't have this kind of openness."

Service Providers Become a Key Vulnerability

The ISF advises fostering strong working relationships with service providers "with the aim of becoming partners." Durbin said, "The smaller guys are a weak link, because they often don't have the security in place. If you're an acquiring organization, why not share information? Or be clear about what [security practices] you require from suppliers."

Big Data Equals Big Problems

Organizations that put blind faith in big data will make strategic decisions based on faulty or incomplete data sets. Avoid this by outlining a process for applying big-data analytics to information security problems, the ISF advised. "Security still hasn't made use of all the tools that business makes available, like big data," Durbin said. "But increasingly, it's front and center."

Mobile Apps Become Main Route for Compromise

Try to find innovative ways to keep workers alert to the risks of "bring your own anything" (BYOx), the report said. One way people are doing this, Durbin said, is through "5 to 9 initiatives" that talk about what people do at home and how they can do those things more safely. They then naturally bring those best practices into the workplace, eliminating the need for a shift in behavior.

Encryption Fails

"People felt that encryption was the security [measure]. That assumption has proven to be not the case," Durbin said. Businesses should prepare themselves by identifying their most sensitive assets and preparing appropriate solutions for protecting them. Not all data is created equal, so its protections should not all be the same either.

The CEO Gets It, Now You Have to Deliver

The CISO will need to demonstrate value. Prepare for this by aligning the "security function with the organization's approach to risk management," the report said. Durbin added that security should be treated like any other business risk; CISOs don't want to be put in a position of justifying the cost of security when there isn't a breach. "Make security a business cost," says Durbin.

Skills Gap Becomes a Chasm

The skills gap is widening; prepare by developing talent and creating incentives to retain it. Durbin said businesses need to be more aggressive about getting the skill sets that they need. "Government is looking for the same skills as the private sector … which raises another challenge around trust," he adds.

Information Security Fails to Work With New Generations

"Those who grew up with security [and] privacy questions have a different perspective than those of us coming to it later. Security [means] different things to different people, and that creates a challenge," Durbin said. Prepare by adapting policies and procedures to engage generations Y and Z. Their approaches to "work, socializing and privacy are vastly different … and they won't fit with the traditional security models," the report said.